Following the recent events, opportunistic cybercriminals have been spamvertising tens of thousands of malicious emails in an attempt to capitalize on the latest breaking news.

We’re currently aware of two “Boston marathon explosion” themed campaigns that took place last week, one of which impersonates CNN, while the other uses the “fertilizer plant explosion in Texas” theme; both redirect to either the RedKit or the market-leading Black Hole Exploit Kit.

Let’s profile the campaigns that took place last week, with the aim of assisting the ongoing attack attribution process.

More details:

Sample screenshot of the landing page, which displays a mix of videos hosted on YouTube:

Excluding the CNN themed emails, the rest contain a link to a malicious IP using filenames typical for the campaign: news.html; boston.html; texas.html; cnn_boston.html.

Sample spamvertised URLs observed in all of the campaigns:
hxxp://190.245.177.248/boston.html
hxxp://78.90.133.133/boston.html
hxxp://176.241.148.169/boston.html
hxxp://95.87.6.156/boston.html
hxxp://46.233.4.113/boston.html
hxxp://213.34.205.27/boston.html
hxxp://37.229.92.116/boston.html
hxxp://95.69.141.121/boston.html
hxxp://110.92.80.47/boston.html
hxxp://62.45.148.76/boston.html
hxxp://118.141.37.122/boston.html
hxxp://94.153.15.249/boston.html
hxxp://178.137.100.12/boston.html
hxxp://24.180.60.184/boston.html
hxxp://110.92.80.47/boston.html
hxxp://46.233.4.113/boston.html
hxxp://85.217.234.98/boston.html
hxxp://213.34.205.27/news.html
hxxp://94.28.49.130/boston.html
hxxp://78.90.133.133/news.html
hxxp://95.87.6.156/news.html
hxxp://176.241.148.169/news.html
hxxp://95.87.6.156/news.html
hxxp://182.235.147.164/news.html
hxxp://sistasplace.org/news.html
hxxp://95.87.6.156/news.html
hxxp://95.87.6.156/news.html
hxxp://94.153.15.249/news.html
hxxp://182.235.147.164/news.html
hxxp://219.198.196.116/news.html
hxxp://94.28.49.130/news.html
hxxp://94.153.15.249/news.html
hxxp://78.90.213.244/news.html
hxxp://85.217.234.98/news.html
hxxp://37.229.215.183/news.html
hxxp://85.217.234.98/news.html
hxxp://83.170.192.154/news.html
hxxp://182.235.147.164/news.html
hxxp://85.217.234.98/news.html
hxxp://china-ptjc.com/cnn_boston.html
hxxp://kuzenergo.ru/cnn_boston.html
hxxp://alltomforsakringar.nu/cnn_boston.html
hxxp://smslanens.se/cnn_boston.html
hxxp://www.smslanens.se/cnn_boston.html
hxxp://numeralarmowy-112.pl/cnn_boston.html
hxxp://ochronaprawkonsumenta.pl/cnn_boston.html
hxxp://www.vdnh.kiev.ua/cnn_boston.html
hxxp://ochronaprawkonsumenta.pl/cnn_boston.html
hxxp://alltomforsakringar.nu/cnn_boston.html
hxxp://higherthanab.com/cnn_boston.html
hxxp://business-link.net/cnn_boston.html
hxxp://www.peaceofchristparish.org/cnn_boston.html
hxxp://ochronaprawkonsumenta.pl/cnn_boston.html
hxxp://smslanens.se/cnn_boston.html
hxxp://mezdustrok.com.ua/cnn_boston.html
hxxp://skinnee.net/cnn_boston.html
hxxp://ochronaprawkonsumenta.pl/cnn_boston.html
hxxp://smslanens.se/cnn_boston.html
hxxp://numeralarmowy-112.pl/cnn_boston.html
hxxp://higherthanab.com/cnn_boston.html
hxxp://host321.ru/cnn_boston.html
hxxp://econ-group.com/cnn_boston.html
hxxp://peaceofchristparish.org/cnn_boston.html
hxxp://vdnh.kiev.ua/cnn_boston.html
hxxp://mannesmann.cz/cnn_boston.html
hxxp://ochronaprawkonsumenta.pl/cnn_boston.html
hxxp://46.40.33.20/texas.html
hxxp://94.28.49.130/texas.html
hxxp://219.198.196.116/texas.html
hxxp://178.150.115.38/texas.html
hxxp://94.153.15.249/texas.html
hxxp://85.198.81.26/texas.html
hxxp://37.229.215.183/texas.html
hxxp://95.87.6.156/texas.html
hxxp://182.235.147.164/texas.html
hxxp://94.153.15.249/texas.html
hxxp://37.229.215.183/texas.html
hxxp://110.92.80.47/texas.html
hxxp://83.170.192.154/texas.html
hxxp://78.90.133.133/texas.html
hxxp://83.170.192.154/texas.html
hxxp://118.141.37.122/texas.html
hxxp://176.241.148.169/texas.html
hxxp://46.40.33.20/texas.html
hxxp://213.34.205.27/texas.html
hxxp://159.148.43.126/texas.html
hxxp://78.90.133.133/texas.html
hxxp://213.231.13.137/texas.html
hxxp://219.198.196.116/texas.html
hxxp://182.235.147.164/texas.html
hxxp://178.137.120.224/texas.html
hxxp://85.217.234.98/texas.html
hxxp://85.217.234.98/texas.html
hxxp://213.34.205.27/texas.html
hxxp://85.217.234.98/texas.html

The first campaign directly exposes users to the malicious executable (boston.avi_______.exe), with multiple YouTube-hosted videos loading in the background of the page.

Once executed, the sample with MD5 5ea646ffdc1e9bc7759fdfc926de7660 phones back to 77.123.40.41:80; 37.229.97.11:80; 190.18.237.20:80; 176.103.0.22:80. Once executed, the sample with MD5 959e2dcad471c86b4fdcf824a6a502dc phones back to hxxp://5.105.102.232/home.htm.

Some of the applets in the RedKit-redirecting variation of the campaign contain the static string “sdioolg sh ispod”.

Sample RedKit redirectors found on the malicious and spamvertised URLs:
hxxp://bestdoghouseplans.com/azsq.html
hxxp://compfixer.net/ecsr.html
hxxp://chartspmsasia.com/weir.html
hxxp://mcfamiliesinneed.org/czsq.html
hxxp://techpourri.com/hhsr.html
hxxp://pcdesires.com/hoiq.html
hxxp://cedarpointchurch.org/azsr.html
hxxp://kentuckyautoexchange.com/czir.html

Once executed, the sample with MD5 86f197e0353a97b630d9b1838520ade1 phones back to 62.84.60.29:80 and to hxxp://31.128.186.162/login.htm. Once executed, the sample with MD5 502537a985e21eb8ceccd246d1bb4289 phones back to hxxp://159.224.2.196/index.htm and hxxp://109.86.195.130/index.htm.
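As an added example, not code from the original post, the following Python script turns the indicators above (the campaign landing-page filenames on IP-literal hosts, the cnn_boston.html pages on compromised domains, the RedKit redirector URLs, and the phone-back destinations of the dropped executables) into a simple scan over web proxy logs. The log format ("timestamp client method url status") and the log lines themselves are constructed for the example; the hxxp:// de-fanging used in the post is reversed to http:// so that URLs compare directly against what a proxy would record.

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Landing-page filenames the post reports for the spam campaigns. The
# IP-hosted pages use the first three names; cnn_boston.html sits on
# compromised domains, so it is matched on any host.
IP_HOSTED_PAGES = {"news.html", "boston.html", "texas.html"}
ANY_HOST_PAGES = {"cnn_boston.html"}

# RedKit redirector URLs listed in the post (hxxp:// restored to http://).
REDKIT_REDIRECTORS = {
    "http://bestdoghouseplans.com/azsq.html",
    "http://compfixer.net/ecsr.html",
    "http://chartspmsasia.com/weir.html",
    "http://mcfamiliesinneed.org/czsq.html",
    "http://techpourri.com/hhsr.html",
    "http://pcdesires.com/hoiq.html",
    "http://cedarpointchurch.org/azsr.html",
    "http://kentuckyautoexchange.com/czir.html",
}

# Phone-back destinations of the dropped executables, as (host, port).
# Destinations the post gives as plain URLs are reduced to host on port 80.
C2_ENDPOINTS = {
    ("77.123.40.41", 80), ("37.229.97.11", 80), ("190.18.237.20", 80),
    ("176.103.0.22", 80), ("5.105.102.232", 80), ("62.84.60.29", 80),
    ("31.128.186.162", 80), ("159.224.2.196", 80), ("109.86.195.130", 80),
}

# Constructed proxy log lines in a hypothetical "timestamp client method url status"
# format; the clients, timestamps and example.com requests are made up.
SAMPLE_LOG = """\
2013-04-17T10:21:05Z 10.0.0.12 GET http://95.87.6.156/boston.html 200
2013-04-17T10:21:09Z 10.0.0.12 GET http://bestdoghouseplans.com/azsq.html 200
2013-04-17T10:23:44Z 10.0.0.12 GET http://77.123.40.41/ 200
2013-04-17T10:25:01Z 10.0.0.31 GET http://www.example.com/news.html 200
2013-04-17T10:26:10Z 10.0.0.44 GET http://5.105.102.232/home.htm 200
2013-04-17T10:27:00Z 10.0.0.44 GET http://www.example.com/index.html 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$"
)


def is_ip_literal(host: str) -> bool:
    """True when the host part of a URL is a bare IPv4/IPv6 address."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def classify_url(url: str) -> list:
    """Return the indicator names a single URL matches (empty list if none)."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    port = parsed.port or (443 if parsed.scheme == "https" else 80)
    basename = parsed.path.rsplit("/", 1)[-1].lower()
    reasons = []
    if basename in IP_HOSTED_PAGES and is_ip_literal(host):
        reasons.append("campaign landing page on IP-literal host")
    if basename in ANY_HOST_PAGES:
        reasons.append("campaign landing page (cnn_boston.html)")
    if url.lower() in REDKIT_REDIRECTORS:
        reasons.append("known RedKit redirector")
    if (host, port) in C2_ENDPOINTS:
        reasons.append("known phone-back destination")
    return reasons


def scan_log(text: str) -> list:
    """Scan proxy log text; return (client, url, reasons) for each matching request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        reasons = classify_url(m["url"])
        if reasons:
            hits.append((m["client"], m["url"], reasons))
    return hits


if __name__ == "__main__":
    for client, url, reasons in scan_log(SAMPLE_LOG):
        print(f"{client} -> {url}: {', '.join(reasons)}")
```

The filename rule is deliberately narrowed to IP-literal hosts: news.html on an ordinary domain is far too common to alert on, whereas the post's sample URLs show the three IP-hosted filenames almost exclusively on bare addresses. A client that trips the landing-page rule and then the phone-back rule within minutes (10.0.0.12 in the constructed log) is the sequence a responder would want escalated, since it indicates the dropped executable actually ran.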

Now let’s sample the Black Hole Exploit Kit redirecting campaigns that use the same theme and were also launched during last week’s events.